From 682ce1d44f2b6e890ad38d48c7ea187a91087217 Mon Sep 17 00:00:00 2001
From: nachundu
Date: Mon, 24 Aug 2020 11:50:59 +0530
Subject: [PATCH 1/4] fixed access denied issue
---
 src/deployments/cdk/src/deployments/defaults/step-1.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/deployments/cdk/src/deployments/defaults/step-1.ts b/src/deployments/cdk/src/deployments/defaults/step-1.ts
index fe9b17f02..ba234c079 100644
--- a/src/deployments/cdk/src/deployments/defaults/step-1.ts
+++ b/src/deployments/cdk/src/deployments/defaults/step-1.ts
@@ -234,6 +234,16 @@ function createCentralLogBucket(props: DefaultsStep1Props) {
 }),
 );
 
+ logBucket.addToResourcePolicy(
+ new iam.PolicyStatement({
+ principals: [
+ new iam.ServicePrincipal('config.amazonaws.com'),
+ ],
+ actions: ['s3:ListBucket'],
+ resources: [`${logBucket.bucketArn}`],
+ }),
+ );
+
 // Allow cross account encrypt access for logArchive bucket
 logBucket.encryptionKey?.addToResourcePolicy(
 new iam.PolicyStatement({
From c1ab68b9b801c7af28c5eba46938f8b337baa7ae Mon Sep 17 00:00:00 2001
From: nachundu
Date: Mon, 24 Aug 2020 11:52:39 +0530
Subject: [PATCH 2/4] added comment
---
 src/deployments/cdk/src/deployments/defaults/step-1.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/deployments/cdk/src/deployments/defaults/step-1.ts b/src/deployments/cdk/src/deployments/defaults/step-1.ts
index ba234c079..72bda0048 100644
--- a/src/deployments/cdk/src/deployments/defaults/step-1.ts
+++ b/src/deployments/cdk/src/deployments/defaults/step-1.ts
@@ -234,6 +234,7 @@ function createCentralLogBucket(props: DefaultsStep1Props) {
 }),
 );
 
+ // Permission to allow checking existence of AWSConfig bucket
 logBucket.addToResourcePolicy(
 new iam.PolicyStatement({
 principals: [
From d613d1d5b431cffb3c76ff415318243feeb84235 Mon Sep 17 00:00:00 2001
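Review bot: The new bucket-policy statement grants the `config.amazonaws.com` service principal `s3:ListBucket` with no condition, so the grant is not tied to any particular delivering account — the usual confused-deputy shape for service-principal grants on a bucket that other accounts can name as their delivery target. Since this is the central log bucket and the delivering accounts are presumably known to the stack, add `conditions: { StringEquals: { 'aws:SourceAccount': <allowed account ids> } }` to the statement (or document why an unconditioned grant is acceptable here); the neighbouring delivery statements lie outside the hunk, so I cannot tell whether they carry such a condition. A smaller style point: the template literal around `logBucket.bucketArn` adds nothing, `resources: [logBucket.bucketArn]` is the plain form. The second patch only adds a comment above this statement and needs no separate change; createCentralLogBucket continues outside the hunk on both sides.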
From: nachundu
Date: Mon, 24 Aug 2020 12:02:57 +0530
Subject: [PATCH 3/4] fixed lint issues
---
 src/deployments/cdk/src/deployments/defaults/step-1.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/deployments/cdk/src/deployments/defaults/step-1.ts b/src/deployments/cdk/src/deployments/defaults/step-1.ts
index 72bda0048..3c4b24a73 100644
--- a/src/deployments/cdk/src/deployments/defaults/step-1.ts
+++ b/src/deployments/cdk/src/deployments/defaults/step-1.ts
@@ -237,9 +237,7 @@ function createCentralLogBucket(props: DefaultsStep1Props) {
 // Permission to allow checking existence of AWSConfig bucket
 logBucket.addToResourcePolicy(
 new iam.PolicyStatement({
- principals: [
- new iam.ServicePrincipal('config.amazonaws.com'),
- ],
+ principals: [new iam.ServicePrincipal('config.amazonaws.com')],
 actions: ['s3:ListBucket'],
 resources: [`${logBucket.bucketArn}`],
 }),
From 353756ad9f68b4558a1788ee8741bd80e9f6305d Mon Sep 17 00:00:00 2001
From: nachundu
Date: Wed, 26 Aug 2020 14:18:59 +0530
Subject: [PATCH 4/4] added putBucket policy to the config role
---
 src/deployments/cdk/src/deployments/iam/step-1.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/deployments/cdk/src/deployments/iam/step-1.ts b/src/deployments/cdk/src/deployments/iam/step-1.ts
index a5572d349..2fba24d4b 100644
--- a/src/deployments/cdk/src/deployments/iam/step-1.ts
+++ b/src/deployments/cdk/src/deployments/iam/step-1.ts
@@ -29,6 +29,21 @@ export async function createConfigServiceRoles(props: IamConfigServiceRoleProps)
 managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSConfigRole')],
 });
 
+ /**
+ *
+ * As per the documentation, the config role should have
+ * the s3:PutObject permission to avoid access denied issues
+ * while AWS config tries to check the s3 bucket (in another account) write permissions
+ * https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
+ *
+ */
+ configRecorderRole.addToPrincipalPolicy(
+ new iam.PolicyStatement({
+ actions: ['s3:PutObject'],
+ resources: ['*'],
+ }),
+ );
+
 new CfnIamRoleOutput(accountStack, `ConfigRecorderRoleOutput`, {
 roleName: configRecorderRole.roleName,
 roleArn: configRecorderRole.roleArn,
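Review bot: `resources: ['*']` gives the Config recorder role `s3:PutObject` on every bucket in the account, and on any cross-account bucket whose policy trusts this role, which is far wider than the single cross-account log bucket the comment says the grant is for. The linked documentation scopes this permission to the delivery bucket, so the statement should name it — `resources: ['<central-log-bucket-arn>/*']` (placeholder; the ARN would need to reach this function through `IamConfigServiceRoleProps`, whose fields are not visible in the hunk). The `/** … */` block is attached to a statement rather than a declaration, so a plain `//` comment is the conventional form, and its wording should match the scoped resource once the wildcard is gone. The commit subject says "putBucket policy" while the action granted is `s3:PutObject`; worth aligning. createConfigServiceRoles continues outside the hunk on both sides.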